Identifying the Telltale Signs of State-Sponsored Operatives

Illustration depicting North Korean cyber operatives behind computer screens, highlighting the tactics used by state-sponsored hackers.

North Korean threat actors are leaving behind a trail of telltale signs that could allow network defenders to spot and block malicious activity. Researchers with security firm ReliaQuest have identified a series of common blunders and activity patterns that groups working out of the Hermit Kingdom tend to exhibit.

In recent weeks, the ReliaQuest Threat Research team has investigated over 25 North Korean insider threats across its customer base. As part of a growing trend, these state-sponsored operatives infiltrate Western companies under fake identities, often posing as skilled freelancers or contractors to generate revenue for the North Korean regime.

Cybercrime is a favored tactic of the North Korean regime, which uses stolen cryptocurrency funds to work around economic sanctions. In the process, however, DPRK hacking groups have developed a distinctive set of behavioral patterns that experts believe can be traced in order to stop such schemes before they turn into major financial or data breaches.

One of the common blunders employed by North Korean hackers is the use of fake job applications that are simply too good to be true. These phony applicants often portray themselves as having credentials and experience far beyond what would be expected of someone seeking an entry- or mid-level position. Specifically, ReliaQuest has seen a surge in North Korean IT workers going after full-stack development roles, especially contractor and freelancer positions.

Their profiles are littered with red flags, boasting up to 12 years of sketchy, copy-paste experience that doesn’t pass the smell test. These accounts are ghost-like, with barely any posts, reactions, or comments, yet they pack a laundry list of flashy skills, including Blockchain, AI, Cryptocurrency, Smart Contracts, MERN/MEAN stack, Next.js, Tailwind CSS, AWS, Microservices, GraphQL, E-commerce, React, Angular, TypeScript, SQL, MongoDB, and Rust.

Another tell employed by North Korean hackers is the use of VPN and ISP services from countries allied with North Korea. In many cases, connections from North Korea are masked using the Astrill VPN application. When the connection is not masked, IP addresses trace back to ISPs such as China Unicom and Russia's TTK, both of which operate with the blessing of their respective governments.
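To turn the network indicators above into a check, here is an added example (not code from the article or from ReliaQuest) that flags remote-access events whose source provider matches the VPN and ISP names the article cites. It assumes an upstream enrichment step has already attached the provider/organization name to each event (for example from an ASN or geo-IP lookup); the events themselves are constructed sample data.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Providers the article associates with DPRK operator traffic. Word-boundary
# patterns avoid matching "ttk" inside unrelated organization names.
WATCHLIST_PATTERNS = [
    re.compile(r"\bastrill\b", re.IGNORECASE),
    re.compile(r"\bchina unicom\b", re.IGNORECASE),
    re.compile(r"\bttk\b", re.IGNORECASE),
]


@dataclass
class AccessEvent:
    user: str
    src_ip: str   # constructed documentation-range addresses
    org: str      # provider name supplied by the assumed enrichment step
    country: str


# Constructed sample events; not real telemetry.
SAMPLE_EVENTS = [
    AccessEvent("contractor-01", "203.0.113.7", "Astrill VPN", "US"),
    AccessEvent("dev-lead", "198.51.100.22", "Example Cloud Hosting", "US"),
    AccessEvent("contractor-02", "203.0.113.40", "China Unicom Backbone", "CN"),
    AccessEvent("contractor-01", "192.0.2.9", "TTK (TransTeleCom)", "RU"),
    AccessEvent("analyst-7", "198.51.100.8", "Mattknit Telecom", "GB"),
]


def is_watchlisted(event: AccessEvent) -> bool:
    """True when the event's provider matches any watchlisted name."""
    return any(p.search(event.org) for p in WATCHLIST_PATTERNS)


def flag_sessions(events):
    """Return (user, org) for every event from a watchlisted provider."""
    return [(e.user, e.org) for e in events if is_watchlisted(e)]


def hits_per_user(events):
    """Count watchlisted events per user so repeat offenders rank first."""
    return Counter(user for user, _ in flag_sessions(events))


if __name__ == "__main__":
    for user, org in flag_sessions(SAMPLE_EVENTS):
        print(f"ALERT user={user} provider={org}")
    print(hits_per_user(SAMPLE_EVENTS).most_common())
```

A single hit is a prompt for identity verification rather than proof of anything; the per-user count helps prioritize which accounts to review first.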

Finally, ReliaQuest noted that North Korean hackers also use IP-KVM tools, which let the attackers covertly access systems without leaving a traceable activity log or software footprint. These devices are growing in popularity among cybercriminals because of their ability to evade immediate detection.
